According to a Law.com analysis, more than 100 firms have reported data breaches. The American Bar Association’s Model Rules of Professional Conduct and ethics opinions state that attorneys have a duty to take reasonable steps to protect their clients’ data. Unfortunately, these rules do not include any specific technical requirements that attorneys can reference. This puts attorneys in the difficult position of trying to determine what is sufficient when it comes to cybersecurity.

Even if the ABA provided technical specifications, the challenge is that cybersecurity is dynamic and continuously evolving. What was considered reasonable yesterday is not reasonable today, and today’s standards will be obsolete tomorrow. Also challenging is that reasonableness itself changes based on specific circumstances. What is reasonable for a large firm may not be reasonable for a small practice and vice versa. However, one thing is true across all practice sizes: cyber criminals are attacking professional service firms in order to access their client data, and cybersecurity is a critical part of any modern practice.